Data brokers, beware: Distinguishing PADFAA from the DOJ's DSP


Contributors:
Cheryl Saniuk-Heinig
CIPP/E, CIPP/US, CIPM
Former research and insights analyst, IAPP
Jim Dempsey
Lecturer, UC Berkeley Law; Managing Director, Cybersecurity Law Center
IAPP
Within the past year, the U.S. has adopted two parallel legal frameworks aiming to address the national security risks of transactions involving sensitive personal data: the Protecting Americans' Data from Foreign Adversaries Act of 2024 and the U.S. Department of Justice's Data Security Program. While the two regimes share a common objective — protecting U.S. sensitive personal data from access or misuse by foreign adversaries — they regulate different entities and operate under markedly different structures. For U.S. entities engaging globally, distinguishing between these frameworks is essential.
The DSP is a regulatory program created under Executive Order 14117. It is administered by the DOJ and applies to a broad range of U.S. persons and transaction types. It sets volume-based thresholds for covered data and allows certain data transfers to proceed if security, contractual and diligence requirements are met. The PADFAA, by contrast, was enacted by Congress. Enforced by the Federal Trade Commission, it applies only to data brokers but prohibits transactions of any volume.
Both instruments reflect a growing trend in data regulation, where geopolitical considerations increasingly shape cross-border data practices.
PADFAA: Scope and core prohibitions
Effective as of June 2024, the PADFAA applies to "data brokers" and prohibits certain data transactions absolutely, without any risk-based exceptions or mitigation mechanisms. More specifically, it prohibits any data broker from selling, licensing, renting, trading, transferring, releasing, disclosing, providing access to or otherwise making available “personally identifiable sensitive data” of a U.S. individual to a “foreign adversary country” or to any entity controlled by a foreign adversary.